TechSpot

Virus: System Check

Inactive
By Emerik
Jan 9, 2012
  1. Hello. First off I would like to mention that I am new to this forum. But I encountered a virus called "System Check" yesterday, and saw on this forum that you might be of help. I should mention that I have tried a few other solutions to the problem, running for example Microsoft Security Essentials, which didn't find anything. I also ran Malwarebytes Anti-Malware, which found I think three threats, and now at least System Check does not keep popping up. Although I still have the problem that all files are hidden, etc., so I think that it is still lurking in the background. I hope my attempts at removing it haven't ruined my chances of getting rid of it.

    I hope you can help me. Thank you in advance.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,621   +267

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===========================================================

    Let's see if we can recover your missing features.
    Download and run UnHide
    Let me know if it worked.
     
  3. Emerik

    Emerik TS Rookie Topic Starter Posts: 51

    Different language

    Hi again, I will post the logs you requested soon, but first I should say that when I installed Malwarebytes I installed it in Swedish... therefore the logs are in Swedish too. Is this a problem?
     
  4. Broni

    Broni Malware Annihilator Posts: 47,621   +267

    No.................
     
  5. Emerik

    Emerik TS Rookie Topic Starter Posts: 51

    Logs

    Here are the logs! Thankful for your help. :)

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Databasversion: v2011.12.24.05

    Windows 7 Service Pack 1 x64 NTFS (Felsäkert läge)
    Internet Explorer 9.0.8112.16421
    Administrator :: SR9EPGOY [administratör]

    2012-01-08 21:14:09
    mbam-log-2012-01-08 (21-14-09).txt

    Skanningstyp: Snabbskanning
    Aktiverade skanningsalternativ: Minne | Start | Register | Filsystem | Heuristik/Extra | Heuristik/Shuriken | PUP | PUM
    Inaktiverade skanningsalternativ: P2P
    Antal skannade objekt: 172401
    Förfluten tid: 1 minut(er), 7 sekund(er)

    Upptäckta minnesprocesser: 0
    (Inga skadliga poster hittades)

    Upptäckta minnesmoduler: 0
    (Inga skadliga poster hittades)

    Upptäckta registernycklar: 0
    (Inga skadliga poster hittades)

    Upptäckta registervärden: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|uEwKkQfYkoLVFj.exe (Rogue.FakeHDD) -> Data: C:\ProgramData\uEwKkQfYkoLVFj.exe -> Sattes i karantän och togs bort.

    Upptäckta registerdataposter: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Dåligt: (1) Bra: (0) -> Sattes i karantän och reparerades framgångsrikt.

    Upptäckta mappar: 0
    (Inga skadliga poster hittades)

    Upptäckta filer: 1
    C:\ProgramData\uEwKkQfYkoLVFj.exe (Rogue.FakeHDD) -> Sattes i karantän och togs bort.

    (klar)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-10 16:05:08
    Windows 6.1.7601 Service Pack 1
    Running: 2vspwgjb.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52afe0241b
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52afe0241b@cc52afe02282 0x9A 0x6B 0x42 0x1B ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52afe0241b@cc52afe02388 0x8A 0x8D 0x2A 0x40 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52afe0241b (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52afe0241b@cc52afe02282 0x9A 0x6B 0x42 0x1B ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52afe0241b@cc52afe02388 0x8A 0x8D 0x2A 0x40 ...

    ---- EOF - GMER 1.0.15 ----

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Enterprise
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2011-08-08 15:07:30
    System Uptime: 2012-01-10 13:59:21 (3 hours ago)
    .
    Motherboard: LENOVO | | 4298RR3
    Processor: Intel(R) Core(TM) i3-2310M CPU @ 2.10GHz | CPU | 798/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 298 GiB total, 239,45 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP3: 2012-01-09 16:16:22 - Windows Backup
    RP4: 2012-01-10 10:17:43 - Windows Update
    .
    ==== Installed Programs ======================
    .
    .
    Adobe AIR
    Adobe Community Help
    Adobe Download Assistant
    Adobe Photoshop CS5.1
    Adobe Reader 9.3.4
    Age of Empires 2
    µTorrent
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    COMODO GeekBuddy
    D3DX10
    Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Facebook Video Calling 1.0.0.8953
    Google Chrome
    Intel PROSet Wireless
    Intel(R) Control Center
    Intel(R) Identity Protection Technology 1.0.74.0
    Intel(R) Management Engine Components
    Java Auto Updater
    Java(TM) 6 Update 26
    League of Legends
    Lenovo Screen Reading Optimizer
    Malwarebytes Anti-Malware version 1.60.0.1800
    Mesh Runtime
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access MUI (Swedish) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Excel MUI (Swedish) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office Groove MUI (Swedish) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office InfoPath MUI (Swedish) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office OneNote MUI (Swedish) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office Outlook MUI (Swedish) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office PowerPoint MUI (Swedish) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (Finnish) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (German) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proof (Swedish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Proofing (Swedish) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Publisher MUI (Swedish) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared MUI (Swedish) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Office Word MUI (Swedish) 2010
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFCLOC_x86
    Mobile Partner
    Mozilla Firefox 8.0.1 (x86 en-US)
    MSVCRT
    Pando Media Booster
    PDF Settings CS5
    PokerStars
    RICOH_Media_Driver_v2.14.18.01
    Security Update for Microsoft InfoPath 2010 (KB2510065)
    Security Update for Microsoft Office 2010 (KB2289078)
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2553353) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
    Security Update for Microsoft Publisher 2010 (KB2409055)
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    Security Update for Microsoft Word 2010 (KB2345000)
    Skype Click to Call
    Skype™ 5.5
    Spotify
    StarCraft II
    System Requirements Lab CYRI
    System Update
    TablEdit 2.71
    ThinkPad Energispararen
    ThinkPad Tablet Button Driver
    ThinkPad Tablettmeny
    ThinkPad UltraNav-guiden
    ThinkPad Wireless LAN Adapter Software
    ThinkVantage Access Connections
    Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2202188)
    Update for Microsoft Office 2010 (KB2413186)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2523113)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553455) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
    Update for Microsoft Outlook Social Connector (KB2583935)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    WinPcap 4.1.2
    VLC media player 1.1.2
    Yawcam 0.3.6
    Zatacka 0.1.7
    .
    ==== End Of File ===========================

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
    Run by Administrator at 16:07:55 on 2012-01-10
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.46.1033.18.3983.2230 [GMT 1:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
    FW: COMODO Firewall *Disabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
    C:\Windows\system32\ibmpmsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
    C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
    C:\Program Files (x86)\ThinkPad\Tablettmeny\ASR\ASRSVC.exe
    C:\Windows\system32\CxAudMsg64.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
    C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
    C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
    C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
    C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Windows\SysWOW64\SAsrv.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\ThinkPad\Tablettmeny\TSMService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe
    C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files (x86)\Lenovo\Screen Reading Optimizer\SROSVC.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files (x86)\Lenovo\System Update\SUService.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\PROGRA~1\Lenovo\Zoom\TPSCREX.EXE
    C:\Windows\system32\Dwm.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
    C:\Windows\Explorer.EXE
    C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE
    C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
    C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
    C:\Windows\System32\TpShocks.exe
    C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Lenovo\Screen Reading Optimizer\SRORest.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files (x86)\ThinkPad\Tablettmeny\TSMResident.exe
    C:\Program Files\COMODO\COMODO GeekBuddy\CLPS.exe
    C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe
    C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
    c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\REGSVR32.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://home.vrg.se
    uDefault_Page_URL = https://home.vrg.se
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    uRun: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
    uRun: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [Facebook Update] "C:\Users\Administrator\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
    uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
    mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [TSMResident] "C:\Program Files (x86)\ThinkPad\Tablettmeny\TSMRESIDENT.EXE" /r
    mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
    mRun: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
    mRun: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
    StartupFolder: C:\Users\ADMINI~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    StartupFolder: C:\Users\ADMINI~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SKRMUR~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{CD6E82E3-2EB6-4DBC-B2EA-549B3A090076} : NameServer = 156.154.70.25,156.154.71.25
    TCP: Interfaces\{CD6E82E3-2EB6-4DBC-B2EA-549B3A090076} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{D98510C1-CB1C-4201-86A2-F5D8C678625D} : DhcpNameServer = 192.168.42.129
    TCP: Interfaces\{E93545F4-C6D4-45E5-8938-9E2C64A6FFAC} : DhcpNameServer = 80.251.201.177 80.251.201.178
    TCP: Interfaces\{FCC8F49D-FEFF-4E2B-B8AA-0A332256AFA6} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{FCC8F49D-FEFF-4E2B-B8AA-0A332256AFA6}\05F6E64757377516C6C696E63702960586F6E656 : DhcpNameServer = 195.54.122.211 195.54.122.221
    TCP: Interfaces\{FCC8F49D-FEFF-4E2B-B8AA-0A332256AFA6}\2427F6977457274737F6E6 : DhcpNameServer = 8.8.8.8
    TCP: Interfaces\{FCC8F49D-FEFF-4E2B-B8AA-0A332256AFA6}\652574 : DhcpNameServer = 83.233.79.36 83.233.79.36
    TCP: Interfaces\{FCC8F49D-FEFF-4E2B-B8AA-0A332256AFA6}\D416D6D6161212 : DhcpNameServer = 83.255.245.11 193.150.193.150
    TCP: Interfaces\{FCC8F49D-FEFF-4E2B-B8AA-0A332256AFA6}\D4F62696C637572766 : DhcpNameServer = 83.233.79.36 83.233.79.36
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    LSA: Notification Packages = scecli ACGina C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll
    {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
    {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
    {9030D464-4C02-4ABF-8ECC-5164760863C6}
    {AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    {B4F3A835-0E21-4959-BA22-42B3008E02FF}
    {DBC80044-A445-435b-BC74-9C25C1C588A9}
    mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRun-x64: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [TSMResident] "C:\Program Files (x86)\ThinkPad\Tablettmeny\TSMRESIDENT.EXE" /r
    mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
    mRun-x64: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
    mRun-x64: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
    IE-X64: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
    AppInit_DLLs-X64: C:\Windows\SysWOW64\guard32.dll
    SEH-X64: {B5A7F190-DDA6-4420-B3BA-52453494E6CD}: Groove GFS Stub Execution Hook
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\44rgjj9n.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - facebook.com
    FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\Administrator\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
    FF - plugin: C:\Users\Administrator\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 DzHDD64;DzHDD64;C:\Windows\system32\DRIVERS\DzHDD64.sys --> C:\Windows\system32\DRIVERS\DzHDD64.sys [?]
    R0 TPDIGIMN;TPDIGIMN;C:\Windows\system32\DRIVERS\ApsHM64.sys --> C:\Windows\system32\DRIVERS\ApsHM64.sys [?]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys --> C:\Windows\system32\DRIVERS\cmdguard.sys [?]
    R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys --> C:\Windows\system32\DRIVERS\cmdhlp.sys [?]
    R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiifx64.sys --> C:\Windows\system32\DRIVERS\smiifx64.sys [?]
    R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 ASRSVC;ASR Service;C:\Program Files (x86)\ThinkPad\Tablettmeny\ASR\ASRSVC.exe [2011-9-5 79136]
    R2 CLPSLS;COMODO livePCsupport Service;C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1267000]
    R2 CxAudMsg;Conexant Audio Message Service;C:\Windows\system32\CxAudMsg64.exe --> C:\Windows\system32\CxAudMsg64.exe [?]
    R2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2011-2-7 210896]
    R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\Communications Utility\CamMute.exe [2011-8-8 41320]
    R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2011-7-5 45496]
    R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [2011-8-8 59240]
    R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe [2011-7-5 93032]
    R2 PwmEWSvc;Cisco EnergyWise Enabler;C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.exe [2011-8-8 148840]
    R2 risdxc;risdxc;C:\Windows\system32\DRIVERS\risdxc64.sys --> C:\Windows\system32\DRIVERS\risdxc64.sys [?]
    R2 SAService;Conexant SmartAudio service;C:\Windows\System32\SASrv.exe [2011-9-5 446592]
    R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [2009-3-13 13840]
    R2 SROSVC;Screen Reading Optimizer Service Program;C:\Program Files (x86)\Lenovo\Screen Reading Optimizer\SROSVC.exe [2011-8-8 443240]
    R2 TabletSVC;TABLET Service;C:\Program Files (x86)\ThinkPad\Tablettmeny\TSMService.exe [2011-9-5 83440]
    R2 TPHKLOAD;Lenovo Hotkey Client Loader;C:\Program Files\Lenovo\HOTKEY\tphkload.exe [2011-7-5 144232]
    R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2011-7-5 64952]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-8-8 2656280]
    R3 5U877;USB Video Device;C:\Windows\system32\DRIVERS\5U877.sys --> C:\Windows\system32\DRIVERS\5U877.sys [?]
    R3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]
    R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
    R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
    R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    R3 NisSrv;Microsoft - nätverkskontroll;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
    S3 DozeSvc;Lenovo Doze Mode Service;C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2011-8-8 477032]
    S3 ewusbnet;HUAWEI USB-NDIS miniport;C:\Windows\system32\DRIVERS\ewusbnet.sys --> C:\Windows\system32\DRIVERS\ewusbnet.sys [?]
    S3 hwusbdev;Huawei DataCard USB PNP Device;C:\Windows\system32\DRIVERS\ewusbdev.sys --> C:\Windows\system32\DRIVERS\ewusbdev.sys [?]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 PCDSRVC{127174DC-C366ED8B-06020200}_0;PCDSRVC{127174DC-C366ED8B-06020200}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\PC-Doctor\pcdsrvc_x64.pkms [2011-3-31 25584]
    S3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2011-8-8 83304]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
    S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys --> C:\Windows\system32\drivers\synth3dvsc.sys [?]
    S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    SUnknown tsusbhub;tsusbhub; [x]
    .
    =============== Created Last 30 ================
    .
    2012-01-10 15:05:37 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B4CFAAFD-E7F6-43E2-AF5E-C9074FBDCFF8}\offreg.dll
    2012-01-10 15:05:35 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B4CFAAFD-E7F6-43E2-AF5E-C9074FBDCFF8}\mpengine.dll
    2012-01-08 20:13:44 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Malwarebytes
    2012-01-08 20:13:23 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-01-08 20:11:27 -------- d-----w- C:\Program Files\CCleaner
    2012-01-08 18:57:17 35 ----a-w- C:\Users\Administrator\AppData\Roaming\SetValue.bat
    2012-01-08 18:57:17 1365 ---ha-w- C:\Users\Administrator\AppData\Roaming\GetValue.vbs
    2012-01-08 18:57:10 2730 ----a-w- C:\Windows\SysWow64\tmp.reg
    2011-12-25 13:12:18 -------- d--h--w- C:\Users\Administrator\HTC Legend filer
    2011-12-25 12:32:01 -------- d--h--w- C:\Users\Administrator\HTC Hero filer
    2011-12-24 13:48:13 -------- d--h--w- C:\Users\Administrator\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2011-12-15 02:04:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2011-12-15 02:01:39 3145216 ----a-w- C:\Windows\System32\win32k.sys
    2011-12-15 02:01:36 723456 ----a-w- C:\Windows\System32\EncDec.dll
    2011-12-15 02:01:35 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
    2011-12-15 02:00:47 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-12-15 02:00:47 2048 ----a-w- C:\Windows\System32\tzres.dll
    .
    ==================== Find3M ====================
    .
    2011-11-21 13:53:46 414368 ---ha-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
    2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
    2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
    2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-05-19 15:38:22 94080 ---ha-w- C:\Program Files (x86)\Install Lightroom 3.exe
    .
    ============= FINISH: 16:16:15,45 ===============
     
  6. Broni

    Broni Malware Annihilator Posts: 47,621   +267

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  7. Emerik

    Emerik TS Rookie Topic Starter Posts: 51

    I downloaded aswMBR to my desktop, but when I try to start it, nothing happens. What should I do?
     
  8. Broni

    Broni Malware Annihilator Posts: 47,621   +267

    Proceed with Bootkit Remover.
     
  9. Emerik

    Emerik TS Rookie Topic Starter Posts: 51

    Bootcleaner

    [wrong log]
     
  10. Broni

    Broni Malware Annihilator Posts: 47,621   +267

    Please pay attention.
    I asked for Bootkit Remover log.
     
  11. Emerik

    Emerik TS Rookie Topic Starter Posts: 51

    Sorry, I guess I didn't copy it properly the first time. Here it is, anyway.

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Enterprise Edition Service Pack 1 (build 7601), 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
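
    The Bootkit Remover output above reports the MBR on \\.\PhysicalDrive0 as "Controlled by rootkit!" and points at `remover.exe dump <device_name>` for inspecting the boot code by hand. What a responder does with such a dump is parse the 512-byte sector, check it for sanity, and compare its boot code against a known-good copy. The Python below is an added example for this thread; it is not code from the original posts, from Esage Lab or from TechSpot. Everything it works on is constructed inline: the boot-code bytes and the two-partition layout are placeholders (the `_build_mbr` helper exists only to assemble them), and `parse_mbr`, `check_mbr` and the baseline hash are names chosen here. The one value taken from the thread is the offset 0x100000 that the log reports for \\.\C: on PhysicalDrive0, which the check confirms corresponds to a partition starting at LBA 2048. One caveat the tool's own wording implies: a dump taken from inside the infected OS may already be filtered by the rootkit, so the baseline and, ideally, the dump itself should come from boot media rather than from the running system.

```python
from __future__ import annotations

import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the executable boot code
DISK_SIG_OFF = 440         # 4-byte Windows disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"     # bytes 510..511 of every valid MBR
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def load_dump(path: str) -> bytes:
    """Read the first sector from a raw dump file (e.g. output of `remover.exe dump`)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code, disk signature, partition table and 0x55AA marker."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": start,
            "sectors": count,
            "byte_offset": start * SECTOR_SIZE,   # what a tool prints as "at offset 0x..."
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "boot_code_is_blank": not any(mbr[:BOOT_CODE_LEN]),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "boot_signature_ok": mbr[510:512] == BOOT_SIG,
        "partitions": partitions,
    }


def check_mbr(parsed: dict, baseline_boot_hash: str | None = None,
              expected_volume_offset: int | None = None) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    if not parsed["boot_signature_ok"]:
        findings.append("0x55AA boot signature missing: sector is not a valid MBR")
    if parsed["boot_code_is_blank"]:
        findings.append("boot code area is all zeros")
    if baseline_boot_hash and parsed["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from known-good baseline (possible bootkit)")
    bootable = [p for p in parsed["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected exactly 1")
    spans = sorted((p["start_lba"], p["start_lba"] + p["sectors"]) for p in parsed["partitions"])
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partition table entries overlap at LBA {start_b}")
    if expected_volume_offset is not None and \
            expected_volume_offset not in {p["byte_offset"] for p in parsed["partitions"]}:
        findings.append(f"no partition starts at offset 0x{expected_volume_offset:x}")
    return findings


def _build_mbr(boot_code: bytes, entries: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble a synthetic MBR. Constructed test data only, not a dump from a real disk."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x1A2B3C4D)          # arbitrary disk signature
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


# Placeholder boot code: the opening `xor ax,ax / mov ss,ax / mov sp,0x7c00` of a
# standard loader, padded with zeros. It stands in for a clean MBR; it is not one.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 7)
# A different stub (`jmp $` plus NOP padding) standing in for replaced boot code.
TAMPERED_BOOT_CODE = b"\xeb\xfe" + b"\x90" * 40
# Typical Windows 7 layout: bootable 100 MB System Reserved at LBA 2048, then the OS volume.
PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 624930816)]

CLEAN_MBR = _build_mbr(CLEAN_BOOT_CODE, PARTS)
TAMPERED_MBR = _build_mbr(TAMPERED_BOOT_CODE, PARTS)
CLEAN_BOOT_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # baseline from the "clean" sector

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        findings = check_mbr(parse_mbr(sector), CLEAN_BOOT_HASH, expected_volume_offset=0x100000)
        print(label, "->", findings or "no findings")
```

    In practice the baseline hash is taken once from a disk you trust (or from the same disk booted from clean media), and `load_dump` replaces the constructed sectors. A partition table that still looks sane while the boot code hash has changed is exactly the picture a boot-sector bootkit presents.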
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,621   +267

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to your desktop.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

    • Double click on downloaded file to run it.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will produce a log (FRST.txt) on your desktop.
    • Please copy and paste it to your reply.
     
  13. Emerik

    Emerik TS Rookie Topic Starter Posts: 51

    Scan result of Farbar's Recovery Tool (FRST written by farbar) Version 2.3.2
    Ran by Administrator at 2012-01-10 21:14:31
    Running from C:\Users\Administrator\Downloads
    Service Pack 1 (X64) OS Language: English(US)
    Attention: Could not load system hive. Error: The file cannot be accessed because it is being used by another process.

    ========================== Registry (Whitelisted) =============

    HKLM\...\Winlogon: [Userinit]
    HKLM-x32\...\Winlogon: [Userinit]
    HKLM\...\Winlogon: [Shell]
    HKLM-x32\...\Winlogon: [Shell] [x x] ()

    ==================== Services (Whitelisted) ======


    ========================== Drivers (Whitelisted) =============


    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============

    2012-01-10 21:14 - 2012-01-10 21:15 - 0000000 ____D C:\FRST
    2012-01-10 21:12 - 2012-01-10 21:12 - 1379209 ____A C:\Users\Administrator\Downloads\FRST64.exe
    2012-01-10 20:37 - 2012-01-10 20:54 - 0057586 ____A C:\Users\Administrator\Desktop\bootkit_remover_debug_log.txt
    2012-01-10 20:12 - 2012-01-10 20:12 - 4713472 ____A (AVAST Software) C:\Users\Administrator\Downloads\aswMBR.exe
    2012-01-10 20:07 - 2011-09-20 03:02 - 0083968 ____A (Esage Lab) C:\Users\Administrator\Desktop\boot_cleaner.exe
    2012-01-10 16:05 - 2012-01-10 16:05 - 0000919 ____A C:\Users\Administrator\Desktop\gmer.log
    2012-01-10 15:23 - 2012-01-10 15:23 - 0607260 ____R (Swearware) C:\Users\Administrator\Desktop\dds.scr
    2012-01-10 15:23 - 2012-01-10 15:23 - 0302592 ____A C:\Users\Administrator\Desktop\2vspwgjb.exe
    2012-01-10 12:21 - 2012-01-10 12:21 - 0013097 ____A C:\Users\Administrator\Documents\Europeiska Unionen diverse.docx
    2012-01-08 22:28 - 2012-01-08 22:29 - 0093782 ____A C:\Windows\ntbtlog.txt
    2012-01-08 21:18 - 2012-01-10 19:43 - 0230157 ____A C:\Windows\WindowsUpdate.log
    2012-01-08 21:16 - 2012-01-10 13:52 - 0000392 ____A C:\Windows\setupact.log
    2012-01-08 21:16 - 2012-01-08 21:16 - 0000790 ____A C:\Windows\PFRO.log
    2012-01-08 21:16 - 2012-01-08 21:16 - 0000000 ____A C:\Windows\setuperr.log
    2012-01-08 21:13 - 2012-01-09 23:14 - 0000000 ____D C:\Users\Administrator\Desktop\Malwarebytes' Anti-Malware
    2012-01-08 21:13 - 2012-01-08 21:13 - 0000000 ____D C:\Users\All Users\Malwarebytes
    2012-01-08 21:13 - 2012-01-08 21:13 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
    2012-01-08 21:13 - 2012-01-08 21:13 - 0000000 ____D C:\ProgramData\Malwarebytes
    2012-01-08 21:11 - 2012-01-08 21:11 - 0000000 ____D C:\Program Files\CCleaner
    2012-01-08 20:42 - 2012-01-08 20:43 - 10847608 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Desktop\mbam-setup-1.60.0.1800.exe
    2012-01-08 19:57 - 2012-01-08 21:05 - 0002730 ____A C:\Windows\SysWOW64\tmp.reg
    2012-01-08 19:57 - 2012-01-08 21:05 - 0001365 ___AH C:\Users\Administrator\AppData\Roaming\GetValue.vbs
    2012-01-08 19:57 - 2012-01-08 21:05 - 0000000 ____A C:\Windows\SysWOW64\tmp.txt
    2012-01-08 19:57 - 2012-01-08 19:57 - 0000035 ____A C:\Users\Administrator\AppData\Roaming\SetValue.bat
    2012-01-08 19:44 - 2012-01-08 21:05 - 0002071 ___AH C:\rapport.txt
    2012-01-08 19:44 - 2009-06-02 11:17 - 0075776 ____A C:\Windows\SysWOW64\WS2Fix.exe
    2012-01-08 19:44 - 2008-12-12 01:57 - 0078336 ____A (S!Ri.URZ) C:\Windows\SysWOW64\Agent.OMZ.Fix.exe
    2012-01-08 19:44 - 2008-11-29 18:58 - 0082944 ____A (S!Ri.URZ) C:\Windows\SysWOW64\IEDFix.C.exe
    2012-01-08 19:44 - 2008-10-01 15:51 - 0087552 ____A (S!Ri.URZ) C:\Windows\SysWOW64\VACFix.exe
    2012-01-08 19:44 - 2008-09-20 12:45 - 0080384 ____A (S!Ri.URZ) C:\Windows\SysWOW64\o4Patch.exe
    2012-01-08 19:44 - 2008-08-18 12:19 - 0082432 ____A (S!Ri.URZ) C:\Windows\SysWOW64\404Fix.exe
    2012-01-08 19:44 - 2008-05-18 21:40 - 0082944 ____A (S!Ri.URZ) C:\Windows\SysWOW64\IEDFix.exe
    2012-01-08 19:44 - 2007-09-06 00:22 - 0289144 ____A (S!Ri) C:\Windows\SysWOW64\VCCLSID.exe
    2012-01-08 19:44 - 2006-12-01 06:20 - 0079360 ____A (SteelWerX) C:\Windows\SysWOW64\swxcacls.exe
    2012-01-08 19:44 - 2006-08-29 19:43 - 0135168 ____A (SteelWerX) C:\Windows\SysWOW64\swreg.exe
    2012-01-08 19:44 - 2006-04-27 17:49 - 0288417 ____A (S!Ri) C:\Windows\SysWOW64\SrchSTS.exe
    2012-01-08 19:44 - 2006-01-09 10:36 - 0040960 ____A C:\Windows\SysWOW64\swsc.exe
    2012-01-08 19:44 - 2004-07-31 18:50 - 0051200 ____A C:\Windows\SysWOW64\dumphive.exe
    2012-01-08 19:44 - 2003-06-05 21:13 - 0053248 ____A (http://www.beyondlogic.org) C:\Windows\SysWOW64\Process.exe
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000659 ___AH C:\Users\Administrator\Desktop\System Check.lnk
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000336 ___AH C:\Users\All Users\kjN9GDvyQPgqh5
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000336 ___AH C:\ProgramData\kjN9GDvyQPgqh5
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000296 ___AH C:\Users\All Users\~kjN9GDvyQPgqh5
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000296 ___AH C:\ProgramData\~kjN9GDvyQPgqh5
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000200 ___AH C:\Users\All Users\~kjN9GDvyQPgqh5r
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000200 ___AH C:\ProgramData\~kjN9GDvyQPgqh5r
    2011-12-25 23:00 - 2011-12-25 23:00 - 0302302 ___AH C:\Users\Administrator\Desktop\whistler2.jpg
    2011-12-25 23:00 - 2011-12-25 23:00 - 0001456 ___AH C:\Users\Administrator\AppData\Local\Adobe Save for Web 12.0 Prefs
    2011-12-25 22:47 - 2011-12-25 22:47 - 0511231 ___AH C:\Users\Administrator\Desktop\whistler.jpg
    2011-12-25 14:12 - 2011-12-25 14:13 - 0000000 ___HD C:\Users\Administrator\HTC Legend filer
    2011-12-25 13:32 - 2011-12-25 13:53 - 0000000 ___HD C:\Users\Administrator\HTC Hero filer
    2011-12-24 14:48 - 2011-12-24 14:48 - 0000000 ___HD C:\Users\Administrator\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2011-12-24 14:27 - 2011-12-24 14:27 - 0030272 ___AH C:\Users\Administrator\Documents\AssessmentPresentingGroup.docx
    2011-12-24 14:27 - 2011-12-24 14:27 - 0025627 ___AH C:\Users\Administrator\Documents\AssessmentReviewGroup.docx
    2011-12-21 09:14 - 2011-12-21 09:14 - 0013023 ___AH C:\Users\Administrator\Downloads\Questions for the Arabic spring.docx
    2011-12-20 09:09 - 2011-12-20 09:09 - 0015482 ___AH C:\Users\Administrator\Documents\USA inför seminarie.docx
    2011-12-16 15:20 - 2011-12-16 15:41 - 0242193 ___AH C:\Users\Administrator\Documents\Rough Draft thursday efter Ann efter nationella i slutet av dagen.docx
    2011-12-16 12:49 - 2011-12-16 12:49 - 0030020 ___AH C:\Users\Administrator\Documents\Rough Draft thursday efter Ann efter nationella.docx
    2011-12-16 12:02 - 2011-12-16 12:02 - 0029422 ___AH C:\Users\Administrator\Documents\Rough Draft thursday efter Ann.docx
    2011-12-15 14:19 - 2011-12-15 14:19 - 0015464 ___AH C:\Users\Administrator\Documents\Different media sources have different opinions.docx
    2011-12-15 14:18 - 2011-12-16 10:57 - 0029405 ___AH C:\Users\Administrator\Documents\Rough Draft thursday.docx
    2011-12-15 03:04 - 2011-10-26 06:21 - 0043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
    2011-12-15 03:03 - 2011-11-04 02:46 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2011-12-15 03:03 - 2011-11-04 02:43 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2011-12-15 03:03 - 2011-11-04 02:36 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2011-12-15 03:03 - 2011-11-04 02:35 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2011-12-15 03:03 - 2011-11-04 02:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2011-12-15 03:03 - 2011-11-03 23:40 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2011-12-15 03:03 - 2011-11-03 23:38 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2011-12-15 03:03 - 2011-11-03 23:32 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2011-12-15 03:03 - 2011-11-03 23:32 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2011-12-15 03:03 - 2011-11-03 23:31 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2011-12-15 03:02 - 2011-11-04 03:38 - 17786368 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2011-12-15 03:02 - 2011-11-04 02:59 - 10886656 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2011-12-15 03:02 - 2011-11-04 02:53 - 2309120 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2011-12-15 03:02 - 2011-11-04 02:44 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2011-12-15 03:02 - 2011-11-04 02:44 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2011-12-15 03:02 - 2011-11-04 02:41 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2011-12-15 03:02 - 2011-11-04 02:39 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2011-12-15 03:02 - 2011-11-04 02:30 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2011-12-15 03:02 - 2011-11-04 00:02 - 12279808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2011-12-15 03:02 - 2011-11-03 23:47 - 1798144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2011-12-15 03:02 - 2011-11-03 23:46 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2011-12-15 03:02 - 2011-11-03 23:40 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2011-12-15 03:02 - 2011-11-03 23:39 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2011-12-15 03:02 - 2011-11-03 23:37 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2011-12-15 03:02 - 2011-11-03 23:34 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2011-12-15 03:02 - 2011-11-03 23:28 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2011-12-15 03:01 - 2011-11-24 05:52 - 3145216 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2011-12-15 03:01 - 2011-10-15 07:31 - 0723456 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
    2011-12-15 03:01 - 2011-10-15 06:38 - 0534528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll
    2011-12-15 03:00 - 2011-11-05 06:32 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
    2011-12-15 03:00 - 2011-11-05 05:26 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
    2011-12-13 12:15 - 2011-12-13 12:15 - 0014101 ___AH C:\Users\Administrator\Documents\Introduction final essay.docx
    2011-12-13 10:26 - 2011-12-13 10:26 - 0014013 ___AH C:\Users\Administrator\Documents\Final Essay.docx
    2011-12-12 11:40 - 2011-12-13 09:52 - 0017352 ___AH C:\Users\Administrator\Documents\Annotated list of sources.docx
    2011-12-12 09:36 - 2011-12-12 09:36 - 0020320 ___AH C:\Users\Administrator\Documents\Digital media analysis.docx
    2011-12-12 09:34 - 2011-12-12 09:34 - 0016594 ___AH C:\Users\Administrator\Downloads\Digital media analysis.docx

    ============ 3 Months Modified Files and Folders =============

    2012-01-10 21:15 - 2012-01-10 21:14 - 0000000 ____D C:\FRST
    2012-01-10 21:15 - 2011-09-02 14:36 - 0000000 ___HD C:\Users\Administrator\AppData\Local\PMB Files
    2012-01-10 21:14 - 2011-08-08 14:26 - 0000528 ___AH C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    2012-01-10 21:12 - 2012-01-10 21:12 - 1379209 ____A C:\Users\Administrator\Downloads\FRST64.exe
    2012-01-10 21:12 - 2011-08-08 14:26 - 0000466 ___AH C:\Windows\Tasks\SystemToolsDailyTest.job
    2012-01-10 20:54 - 2012-01-10 20:37 - 0057586 ____A C:\Users\Administrator\Desktop\bootkit_remover_debug_log.txt
    2012-01-10 20:39 - 2011-09-05 19:36 - 0001302 ___AH C:\Users\Administrator\Start Menu\Programs\Startup\Skärmurklipp och start för OneNote 2010.lnk
    2012-01-10 20:39 - 2011-09-05 19:36 - 0001302 ___AH C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skärmurklipp och start för OneNote 2010.lnk
    2012-01-10 20:28 - 2011-09-29 12:16 - 0001036 ___AH C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1710067825-1136283663-2566881455-500UA.job
    2012-01-10 20:15 - 2011-09-02 14:29 - 0000000 ___HD C:\Program Files (x86)\Mozilla Firefox
    2012-01-10 20:12 - 2012-01-10 20:12 - 4713472 ____A (AVAST Software) C:\Users\Administrator\Downloads\aswMBR.exe
    2012-01-10 19:43 - 2012-01-08 21:18 - 0230157 ____A C:\Windows\WindowsUpdate.log
    2012-01-10 18:26 - 2011-10-20 21:03 - 0000960 ___AH C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1710067825-1136283663-2566881455-500UA.job
    2012-01-10 18:13 - 2011-08-09 00:00 - 0622356 ____A C:\Windows\System32\perfh01D.dat
    2012-01-10 18:13 - 2011-08-09 00:00 - 0122902 ____A C:\Windows\System32\perfc01D.dat
    2012-01-10 18:13 - 2009-07-14 06:13 - 1457064 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-01-10 16:05 - 2012-01-10 16:05 - 0000919 ____A C:\Users\Administrator\Desktop\gmer.log
    2012-01-10 15:26 - 2011-10-20 21:03 - 0000938 ___AH C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1710067825-1136283663-2566881455-500Core.job
    2012-01-10 15:23 - 2012-01-10 15:23 - 0607260 ____R (Swearware) C:\Users\Administrator\Desktop\dds.scr
    2012-01-10 15:23 - 2012-01-10 15:23 - 0302592 ____A C:\Users\Administrator\Desktop\2vspwgjb.exe
    2012-01-10 14:28 - 2011-09-29 12:16 - 0000984 ___AH C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1710067825-1136283663-2566881455-500Core.job
    2012-01-10 13:59 - 2009-07-14 05:45 - 0021984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-01-10 13:59 - 2009-07-14 05:45 - 0021984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-01-10 13:52 - 2012-01-08 21:16 - 0000392 ____A C:\Windows\setupact.log
    2012-01-10 13:52 - 2011-08-08 23:02 - 3132542976 __ASH C:\hiberfil.sys
    2012-01-10 13:52 - 2009-07-14 06:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-01-10 12:21 - 2012-01-10 12:21 - 0013097 ____A C:\Users\Administrator\Documents\Europeiska Unionen diverse.docx
    2012-01-09 23:14 - 2012-01-08 21:13 - 0000000 ____D C:\Users\Administrator\Desktop\Malwarebytes' Anti-Malware
    2012-01-09 16:39 - 2011-08-08 14:07 - 0000000 __SHD C:\Recovery
    2012-01-09 16:16 - 2009-07-14 06:32 - 0000000 ____D C:\Windows\System32\restore
    2012-01-08 22:29 - 2012-01-08 22:28 - 0093782 ____A C:\Windows\ntbtlog.txt
    2012-01-08 22:06 - 2011-09-02 18:15 - 0000000 ___HD C:\Users\Administrator\AppData\Roaming\Spotify
    2012-01-08 22:02 - 2011-09-02 18:15 - 0000000 ___HD C:\Users\Administrator\AppData\Local\Spotify
    2012-01-08 21:16 - 2012-01-08 21:16 - 0000790 ____A C:\Windows\PFRO.log
    2012-01-08 21:16 - 2012-01-08 21:16 - 0000000 ____A C:\Windows\setuperr.log
    2012-01-08 21:13 - 2012-01-08 21:13 - 0000000 ____D C:\Users\All Users\Malwarebytes
    2012-01-08 21:13 - 2012-01-08 21:13 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
    2012-01-08 21:13 - 2012-01-08 21:13 - 0000000 ____D C:\ProgramData\Malwarebytes
    2012-01-08 21:12 - 2011-09-02 18:28 - 0000000 ___HD C:\Users\Administrator\AppData\Roaming\uTorrent
    2012-01-08 21:12 - 2011-09-02 18:20 - 0000000 ___HD C:\Users\Administrator\AppData\Roaming\Skype
    2012-01-08 21:12 - 2011-08-09 00:01 - 0000000 ___HD C:\Windows\Panther
    2012-01-08 21:11 - 2012-01-08 21:11 - 0000000 ____D C:\Program Files\CCleaner
    2012-01-08 21:05 - 2012-01-08 19:57 - 0002730 ____A C:\Windows\SysWOW64\tmp.reg
    2012-01-08 21:05 - 2012-01-08 19:57 - 0001365 ___AH C:\Users\Administrator\AppData\Roaming\GetValue.vbs
    2012-01-08 21:05 - 2012-01-08 19:57 - 0000000 ____A C:\Windows\SysWOW64\tmp.txt
    2012-01-08 21:05 - 2012-01-08 19:44 - 0002071 ___AH C:\rapport.txt
    2012-01-08 21:05 - 2011-09-07 20:57 - 0001206 ____A C:\Windows\System32\Drivers\etc\hosts
    2012-01-08 20:43 - 2012-01-08 20:42 - 10847608 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Desktop\mbam-setup-1.60.0.1800.exe
    2012-01-08 20:38 - 2009-07-14 04:20 - 0000000 ____D C:\Windows\System32\NDF
    2012-01-08 19:57 - 2012-01-08 19:57 - 0000035 ____A C:\Users\Administrator\AppData\Roaming\SetValue.bat
    2012-01-08 19:33 - 2011-09-02 14:36 - 0000000 ___HD C:\Users\All Users\PMB Files
    2012-01-08 19:33 - 2011-09-02 14:36 - 0000000 ___HD C:\ProgramData\PMB Files
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000659 ___AH C:\Users\Administrator\Desktop\System Check.lnk
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000336 ___AH C:\Users\All Users\kjN9GDvyQPgqh5
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000336 ___AH C:\ProgramData\kjN9GDvyQPgqh5
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000296 ___AH C:\Users\All Users\~kjN9GDvyQPgqh5
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000296 ___AH C:\ProgramData\~kjN9GDvyQPgqh5
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000200 ___AH C:\Users\All Users\~kjN9GDvyQPgqh5r
    2012-01-08 19:13 - 2012-01-08 19:13 - 0000200 ___AH C:\ProgramData\~kjN9GDvyQPgqh5r
    2012-01-08 00:30 - 2011-09-29 12:17 - 0002445 ___AH C:\Users\Administrator\Desktop\Google Chrome.lnk
    2011-12-25 23:00 - 2011-12-25 23:00 - 0302302 ___AH C:\Users\Administrator\Desktop\whistler2.jpg
    2011-12-25 23:00 - 2011-12-25 23:00 - 0001456 ___AH C:\Users\Administrator\AppData\Local\Adobe Save for Web 12.0 Prefs
    2011-12-25 22:58 - 2011-09-02 18:04 - 0000000 ___HD C:\Users\Administrator\AppData\Roaming\Adobe
    2011-12-25 22:47 - 2011-12-25 22:47 - 0511231 ___AH C:\Users\Administrator\Desktop\whistler.jpg
    2011-12-25 14:13 - 2011-12-25 14:12 - 0000000 ___HD C:\Users\Administrator\HTC Legend filer
    2011-12-25 14:12 - 2011-08-08 14:07 - 0000000 ___HD C:\users\Administrator
    2011-12-25 13:53 - 2011-12-25 13:32 - 0000000 ___HD C:\Users\Administrator\HTC Hero filer
    2011-12-25 13:52 - 2011-09-03 17:38 - 0000000 ___HD C:\Users\Administrator\AppData\Roaming\vlc
    2011-12-24 14:48 - 2011-12-24 14:48 - 0000000 ___HD C:\Users\Administrator\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2011-12-24 14:27 - 2011-12-24 14:27 - 0030272 ___AH C:\Users\Administrator\Documents\AssessmentPresentingGroup.docx
    2011-12-24 14:27 - 2011-12-24 14:27 - 0025627 ___AH C:\Users\Administrator\Documents\AssessmentReviewGroup.docx
    2011-12-21 09:14 - 2011-12-21 09:14 - 0013023 ___AH C:\Users\Administrator\Downloads\Questions for the Arabic spring.docx
    2011-12-20 09:09 - 2011-12-20 09:09 - 0015482 ___AH C:\Users\Administrator\Documents\USA inför seminarie.docx
    2011-12-16 15:41 - 2011-12-16 15:20 - 0242193 ___AH C:\Users\Administrator\Documents\Rough Draft thursday efter Ann efter nationella i slutet av dagen.docx
    2011-12-16 12:49 - 2011-12-16 12:49 - 0030020 ___AH C:\Users\Administrator\Documents\Rough Draft thursday efter Ann efter nationella.docx
    2011-12-16 12:02 - 2011-12-16 12:02 - 0029422 ___AH C:\Users\Administrator\Documents\Rough Draft thursday efter Ann.docx
    2011-12-16 10:57 - 2011-12-15 14:18 - 0029405 ___AH C:\Users\Administrator\Documents\Rough Draft thursday.docx
    2011-12-15 14:19 - 2011-12-15 14:19 - 0015464 ___AH C:\Users\Administrator\Documents\Different media sources have different opinions.docx
    2011-12-15 13:12 - 2011-08-08 14:26 - 0000000 ___HD C:\Users\All Users\Microsoft Help
    2011-12-15 13:12 - 2011-08-08 14:26 - 0000000 ___HD C:\ProgramData\Microsoft Help
    2011-12-15 04:03 - 2009-07-14 04:20 - 0000000 ____D C:\Windows\rescache
    2011-12-15 03:25 - 2009-07-14 05:45 - 4968776 ____A C:\Windows\System32\FNTCACHE.DAT
    2011-12-15 03:05 - 2011-08-08 14:14 - 54867776 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2011-12-15 03:01 - 2009-07-14 04:20 - 0000000 ___HD C:\Windows\SysWOW64\sv-SE
    2011-12-15 03:01 - 2009-07-14 04:20 - 0000000 ____D C:\Windows\System32\sv-SE
    2011-12-13 12:15 - 2011-12-13 12:15 - 0014101 ___AH C:\Users\Administrator\Documents\Introduction final essay.docx
    2011-12-13 10:26 - 2011-12-13 10:26 - 0014013 ___AH C:\Users\Administrator\Documents\Final Essay.docx
    2011-12-13 09:52 - 2011-12-12 11:40 - 0017352 ___AH C:\Users\Administrator\Documents\Annotated list of sources.docx
    2011-12-12 09:36 - 2011-12-12 09:36 - 0020320 ___AH C:\Users\Administrator\Documents\Digital media analysis.docx
    2011-12-12 09:34 - 2011-12-12 09:34 - 0016594 ___AH C:\Users\Administrator\Downloads\Digital media analysis.docx
    2011-12-12 09:04 - 2011-09-06 10:40 - 0000000 ___HD C:\Users\Administrator\AppData\Local\ElevatedDiagnostics
    2011-12-09 01:09 - 2011-12-09 00:16 - 0019129 ___AH C:\Users\Administrator\Documents\Analysis of The Graduate.docx
    2011-12-08 18:12 - 2011-12-08 18:12 - 0020566 ___AH C:\Users\Administrator\Downloads\homework assignment of film and lyrics analysis.docx
    2011-12-08 09:30 - 2011-09-06 12:31 - 1474930 ___AH C:\Windows\SysWOW64\PerfStringBackup.INI
    2011-12-06 14:53 - 2011-09-02 18:19 - 0000000 __RHD C:\Program Files (x86)\Skype
    2011-12-06 14:53 - 2011-09-02 18:19 - 0000000 ___HD C:\Users\All Users\Skype
    2011-12-06 14:53 - 2011-09-02 18:19 - 0000000 ___HD C:\ProgramData\Skype
    2011-12-02 12:54 - 2011-12-02 12:42 - 0029304 ___AH C:\Users\Administrator\Documents\USA ebbas och emils del.docx
    2011-12-02 12:41 - 2011-12-02 12:41 - 0029189 ___AH C:\Users\Administrator\Downloads\USA ebbas och emils del.docx
    2011-12-02 12:06 - 2011-12-02 12:06 - 0025490 ___AH C:\Users\Administrator\Documents\USA emils bba del.docx
    2011-12-01 12:51 - 2011-12-01 12:51 - 0030892 ___AH C:\Users\Administrator\Downloads\USA ebbas del.docx
    2011-12-01 12:35 - 2011-12-01 12:35 - 0031014 ___AH C:\Users\Administrator\Downloads\USA.docx
    2011-12-01 11:17 - 2011-12-01 11:17 - 0035888 ___AH C:\Users\Administrator\Documents\Idrottsprov ps.docx
    2011-12-01 10:59 - 2011-09-02 18:15 - 0000000 ___HD C:\Program Files (x86)\Spotify
    2011-11-30 15:01 - 2009-07-14 04:18 - 0000000 __SHD C:\$Recycle.Bin
    2011-11-30 11:10 - 2011-11-30 11:10 - 0015181 ___AH C:\Users\Administrator\Documents\Sourcing.docx
    2011-11-30 08:33 - 2011-11-29 22:43 - 0000000 ___HD C:\Users\All Users\CPA_VA
    2011-11-30 08:33 - 2011-11-29 22:43 - 0000000 ___HD C:\ProgramData\CPA_VA
    2011-11-29 22:41 - 2011-09-06 12:59 - 0000000 ___HD C:\Users\Public\Documents\COMODO
    2011-11-29 12:17 - 2011-11-29 12:16 - 0025490 ___AH C:\Users\Administrator\Documents\USA emils del.docx
    2011-11-29 12:03 - 2011-11-22 10:21 - 0025237 ___AH C:\Users\Administrator\Documents\USA med 2 o 3.docx
    2011-11-29 10:22 - 2011-11-29 10:22 - 0016296 ___AH C:\Users\Administrator\Downloads\Jämförande Politik Uppsats.docx
    2011-11-27 23:18 - 2011-11-27 23:18 - 0031232 ___AH C:\Users\Administrator\Documents\Tränarräkning.xls
    2011-11-25 11:14 - 2011-11-25 11:14 - 0013746 ___AH C:\Users\Administrator\Documents\Dikt maskrosen.docx
    2011-11-24 05:52 - 2011-12-15 03:01 - 3145216 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2011-11-22 10:10 - 2011-11-22 10:10 - 0000162 ___AH C:\Users\Administrator\Documents\~$A Fakta.docx
    2011-11-21 14:53 - 2011-09-02 18:04 - 0414368 ___AH (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2011-11-18 14:52 - 2011-08-09 07:20 - 0000000 ___HD C:\Program Files (x86)\Microsoft Silverlight
    2011-11-18 11:13 - 2011-11-18 11:13 - 0013674 ___AH C:\Users\Administrator\Documents\Kärlek.docx
    2011-11-18 08:49 - 2011-11-18 08:49 - 0018059 ___AH C:\Users\Administrator\Documents\Bokanalys av Emil E.docx
    2011-11-18 08:28 - 2011-10-20 21:03 - 0000000 ___HD C:\Users\Administrator\AppData\Local\Facebook
    2011-11-15 12:22 - 2011-11-15 12:07 - 0016357 ___AH C:\Users\Administrator\Documents\USA Fakta.docx
    2011-11-14 14:54 - 2011-08-08 14:26 - 0000000 ___HD C:\Users\All Users\PCDr
    2011-11-14 14:54 - 2011-08-08 14:26 - 0000000 ___HD C:\ProgramData\PCDr
    2011-11-14 14:53 - 2011-11-14 14:53 - 0000000 ____D C:\Windows\System32\Macromed
    2011-11-11 09:34 - 2011-11-02 18:07 - 0000000 ___HD C:\Users\Administrator\Documents\StarCraft II
    2011-11-11 09:34 - 2011-11-02 18:07 - 0000000 ___HD C:\Program Files (x86)\StarCraft II
    2011-11-11 09:27 - 2011-11-11 09:23 - 0000000 ___HD C:\Program Files (x86)\Mobile Partner
    2011-11-10 20:39 - 2009-07-14 04:20 - 0000000 ___HD C:\Program Files\Common Files\System
    2011-11-09 17:55 - 2011-11-09 17:55 - 0036756 ___AH C:\Users\Administrator\Downloads\How I Met Your Mother - 07x09 - Disaster Averted.LOL.French.C.updated.Addic7ed.com.srt
    2011-11-09 12:54 - 2011-11-09 00:01 - 0017218 ___AH C:\Users\Administrator\Documents\The Bahamas.docx
    2011-11-09 00:01 - 2011-11-09 00:01 - 8365966 ___AH C:\Users\Administrator\Documents\Bahamas PP.pptx
    2011-11-08 11:40 - 2011-11-08 11:40 - 0000500 ___AH C:\Users\Administrator\Documents\Houseofrisingsun.tef
    2011-11-08 11:40 - 2011-11-03 18:04 - 0000103 ___AH C:\Users\Administrator\Documents\TEtmp.rcl
    2011-11-08 11:40 - 2011-11-03 17:29 - 0002092 ___AH C:\Windows\tabled32.ini
    2011-11-07 15:58 - 2011-11-07 15:58 - 0020183 ___AH C:\Users\Administrator\Documents\colgando en tus manos.docx
    2011-11-07 15:15 - 2011-11-07 15:15 - 0493520 ___AH (Facebook Inc.) C:\Users\Administrator\Downloads\FacebookVideoCallSetup_v1.2.203.0(4).exe
    2011-11-05 06:32 - 2011-12-15 03:00 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
    2011-11-05 05:26 - 2011-12-15 03:00 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
    2011-11-04 03:38 - 2011-12-15 03:02 - 17786368 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2011-11-04 02:59 - 2011-12-15 03:02 - 10886656 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2011-11-04 02:53 - 2011-12-15 03:02 - 2309120 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2011-11-04 02:46 - 2011-12-15 03:03 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2011-11-04 02:44 - 2011-12-15 03:02 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2011-11-04 02:44 - 2011-12-15 03:02 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2011-11-04 02:43 - 2011-12-15 03:03 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2011-11-04 02:41 - 2011-12-15 03:02 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2011-11-04 02:39 - 2011-12-15 03:02 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2011-11-04 02:36 - 2011-12-15 03:03 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2011-11-04 02:35 - 2011-12-15 03:03 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2011-11-04 02:34 - 2011-12-15 03:03 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2011-11-04 02:30 - 2011-12-15 03:02 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2011-11-04 00:02 - 2011-12-15 03:02 - 12279808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2011-11-03 23:47 - 2011-12-15 03:02 - 1798144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2011-11-03 23:46 - 2011-12-15 03:02 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2011-11-03 23:40 - 2011-12-15 03:03 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2011-11-03 23:40 - 2011-12-15 03:02 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2011-11-03 23:39 - 2011-12-15 03:02 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2011-11-03 23:38 - 2011-12-15 03:03 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2011-11-03 23:37 - 2011-12-15 03:02 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2011-11-03 23:34 - 2011-12-15 03:02 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2011-11-03 23:32 - 2011-12-15 03:03 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2011-11-03 23:32 - 2011-12-15 03:03 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2011-11-03 23:31 - 2011-12-15 03:03 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2011-11-03 23:28 - 2011-12-15 03:02 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2011-11-03 18:46 - 2011-09-04 14:42 - 0000000 ___HD C:\Users\Administrator\riotsGamesLogs
    2011-11-03 18:04 - 2011-11-03 18:04 - 0000980 ___AH C:\Users\Administrator\Documents\Emils tab.tef
    2011-11-03 17:53 - 2011-11-03 17:53 - 0001744 ___AH C:\Users\Administrator\Documents\Radical Monkey.txt
    2011-11-03 17:43 - 2011-11-03 17:43 - 0003960 ___AH C:\Users\Administrator\Documents\Emils visa.txt
    2011-11-03 17:43 - 2011-11-03 17:39 - 0003960 ___AH C:\Users\Administrator\Documents\The song.abc
    2011-11-03 17:39 - 2011-11-03 17:39 - 0001252 ___AH C:\Users\Administrator\Documents\The real song Midi.mid
    2011-11-03 17:29 - 2011-08-08 14:32 - 0109608 ___AH C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
    2011-11-03 17:28 - 2011-11-03 17:28 - 0621392 ___AH (TablEdit ) C:\Users\Administrator\Downloads\tabled32.exe
    2011-11-03 17:28 - 2011-11-03 17:28 - 0000949 ___AH C:\Users\Administrator\Desktop\TablEdit.lnk
    2011-11-03 17:28 - 2011-11-03 17:28 - 0000000 ___HD C:\Program Files (x86)\TablEdit
    2011-11-03 17:23 - 2011-11-03 17:16 - 0000000 ___HD C:\Users\Administrator\.yawcam
    2011-11-03 17:16 - 2011-11-03 17:16 - 0001869 ___AH C:\Users\Administrator\Desktop\Yawcam.lnk
    2011-11-03 17:16 - 2011-11-03 17:16 - 0000000 ___HD C:\Program Files (x86)\Yawcam
    2011-11-03 17:14 - 2011-11-03 17:14 - 4491651 ___AH (Magnus Lundvall ) C:\Users\Administrator\Downloads\yawcam_install.exe
    2011-11-02 19:44 - 2011-11-02 18:07 - 0000000 ___HD C:\Users\All Users\Blizzard Entertainment
    2011-11-02 19:44 - 2011-11-02 18:07 - 0000000 ___HD C:\ProgramData\Blizzard Entertainment
    2011-11-02 15:34 - 2011-11-01 22:50 - 0000000 ___HD C:\Users\Administrator\SC2-WingsOfLiberty-enGB-Installer
    2011-11-01 22:50 - 2011-11-01 22:50 - 3223726 ___AH (Blizzard Entertainment) C:\Users\Administrator\Downloads\StarCraft_2_EU_en-GB.exe
    2011-10-28 09:39 - 2011-10-28 08:37 - 0018942 ___AH C:\Users\Administrator\Documents\Passa in eller sticka ut.docx
    2011-10-28 07:34 - 2011-08-08 14:08 - 0000174 ___SH C:\Users\Administrator\Start Menu\Programs\Startup\desktop.ini
    2011-10-28 07:34 - 2011-08-08 14:08 - 0000174 ___SH C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
    2011-10-26 11:56 - 2009-07-14 06:08 - 0032636 ___AH C:\Windows\Tasks\SCHEDLGU.TXT
    2011-10-26 10:14 - 2011-10-26 10:14 - 0017260 ___AH C:\Users\Administrator\Documents\The Pink Umbella edited.docx
    2011-10-26 06:21 - 2011-12-15 03:04 - 0043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
    2011-10-25 10:25 - 2011-10-11 11:25 - 0068539 ___AH C:\Users\Administrator\Documents\Sveriges styrelsesätt.pptx
    2011-10-22 00:02 - 2011-10-22 00:02 - 2182024 ___AH C:\Users\Administrator\Downloads\DSC_4757.jpg
    2011-10-21 23:31 - 2011-10-21 23:31 - 7426206 ___AH C:\Users\Administrator\Downloads\DSC_3913.jpg
    2011-10-21 23:24 - 2011-10-21 23:24 - 0252043 ___AH C:\Users\Administrator\Downloads\6241411749_aa0a2070f6_b.jpg
    2011-10-21 07:53 - 2011-10-21 07:53 - 0493520 ___AH (Facebook Inc.) C:\Users\Administrator\Downloads\FacebookVideoCallSetup_v1.2.203.0(3).exe
    2011-10-21 07:46 - 2011-10-21 07:46 - 0493520 ___AH (Facebook Inc.) C:\Users\Administrator\Downloads\FacebookVideoCallSetup_v1.2.203.0(2).exe
    2011-10-20 21:32 - 2011-10-20 21:32 - 0493520 ___AH (Facebook Inc.) C:\Users\Administrator\Downloads\FacebookVideoCallSetup_v1.2.203.0 (5).exe
    2011-10-20 21:32 - 2011-10-20 21:32 - 0493520 ___AH (Facebook Inc.) C:\Users\Administrator\Downloads\FacebookVideoCallSetup_v1.2.203.0 (4).exe
    2011-10-20 21:10 - 2011-10-20 21:10 - 0493520 ___AH (Facebook Inc.) C:\Users\Administrator\Downloads\FacebookVideoCallSetup_v1.2.203.0 (3).exe
    2011-10-20 21:09 - 2011-10-20 21:09 - 0493520 ___AH (Facebook Inc.) C:\Users\Administrator\Downloads\FacebookVideoCallSetup_v1.2.203.0 (2).exe
    2011-10-20 21:08 - 2011-10-20 21:08 - 0493520 ___AH (Facebook Inc.) C:\Users\Administrator\Downloads\FacebookVideoCallSetup_v1.2.203.0 (1).exe
    2011-10-20 21:03 - 2011-10-20 21:03 - 0493520 ___AH (Facebook Inc.) C:\Users\Administrator\Downloads\FacebookVideoCallSetup_v1.2.203.0(1).exe
    2011-10-20 21:02 - 2011-10-20 21:02 - 0493520 ___AH (Facebook Inc.) C:\Users\Administrator\Downloads\FacebookVideoCallSetup_v1.2.203.0.exe
    2011-10-15 07:31 - 2011-12-15 03:01 - 0723456 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
    2011-10-15 06:38 - 2011-12-15 03:01 - 0534528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll
    2011-10-13 14:13 - 2011-10-13 14:13 - 0273510 ___AH C:\Users\Administrator\Downloads\285957_10150262238244370_673164369_7925424_3913960_o.jpg

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit

    C:\Windows\System32\wininit.exe => MD5 is legit

    C:\Windows\explorer.exe => MD5 is legit

    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ========================= Memory info ======================

    Percentage of memory in use: 51%
    Total physical RAM: 3983.23 MB
    Available physical RAM: 1926.71 MB
    Total Pagefile: 7964.66 MB
    Available Pagefile: 5770.74 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.86 MB

    ======================= Partitions =========================

    1 Drive c: (OSDisk) (Fixed) (Total:297.79 GB) (Free:239.38 GB) NTFS

    Disk No. Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk No. 0 Online 298 GB 0 B

    Leaving DiskPart...

    Partitions of Disk Disk No. Status Size Free Dyn Gpt:
    ===============

    The arguments specified for this command are not valid.
    For more information on the command type: HELP SELECT DISK

    There is no disk selected.

    Partitions of Disk Disk No. 0 Online 298 GB 0 B :
    ===============

    The arguments specified for this command are not valid.
    For more information on the command type: HELP SELECT DISK

    There is no disk selected.
    ==========================================================

    Last Boot: 2012-01-10 14:12

    ======================= End Of Log ==========================
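    A small triage helper for the FRST listing above, added here as an example (it is not part of the thread and not FRST's own code). It parses lines in the format FRST uses for its "One Month Modified" listing (modified time, created time, size, five-character attribute field, optional company in parentheses, path) and flags hidden entries that have no business being hidden on a healthy machine: files under a user's Documents, Downloads or Desktop, and hidden top-level directories under Program Files. That is what the "all files are hidden" symptom reported in this thread looks like in a log. The sample lines are copied from the log above; the attribute-letter meanings (A archive, H hidden, S system, D directory) follow FRST's output convention, and the folder heuristics are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of FRST's "One Month Modified" listing, as seen in the log above:
#   <modified> - <created> - <size> <attrs> [(<company>)] <path>
# The attribute field is five characters; letters observed in this log are
# A (archive), H (hidden), S (system) and D (directory); '_' is an unset flag.
FRST_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"   # company is optional, e.g. "(Microsoft Corporation) "
    r"(?P<path>\S.*?)\s*$"
)


@dataclass
class Entry:
    modified: str
    created: str
    size: int
    attrs: str
    company: Optional[str]
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def directory(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_frst(text: str) -> List[Entry]:
    """Parse every line that matches the FRST listing format; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = FRST_LINE.match(line.strip())
        if not m:
            continue
        company = m["company"].strip() if m["company"] is not None else None
        entries.append(Entry(m["modified"], m["created"], int(m["size"]),
                             m["attrs"], company, m["path"]))
    return entries


# Heuristics (this example's own, not FRST's): user data folders and
# top-level Program Files directories are not hidden on a healthy system.
USER_DATA = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(Documents|Downloads|Desktop)\\", re.I)
PROGRAM_DIR = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\[^\\]+$", re.I)


def suspicious_hidden(entries: List[Entry]) -> List[Entry]:
    """Hidden user files and hidden Program Files directories, minus desktop.ini
    (which Windows itself marks system+hidden)."""
    flagged = []
    for e in entries:
        if not e.hidden or e.name.lower() == "desktop.ini":
            continue
        if USER_DATA.match(e.path) or (e.directory and PROGRAM_DIR.match(e.path)):
            flagged.append(e)
    return flagged


# Sample input: lines copied from the FRST log in this thread.
SAMPLE_LOG = r"""
2011-11-07 15:58 - 2011-11-07 15:58 - 0020183 ___AH C:\Users\Administrator\Documents\colgando en tus manos.docx
2011-11-07 15:15 - 2011-11-07 15:15 - 0493520 ___AH (Facebook Inc.) C:\Users\Administrator\Downloads\FacebookVideoCallSetup_v1.2.203.0(4).exe
2011-11-05 06:32 - 2011-12-15 03:00 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2011-11-03 18:46 - 2011-09-04 14:42 - 0000000 ___HD C:\Users\Administrator\riotsGamesLogs
2011-11-03 17:28 - 2011-11-03 17:28 - 0621392 ___AH (TablEdit ) C:\Users\Administrator\Downloads\tabled32.exe
2011-11-03 17:28 - 2011-11-03 17:28 - 0000000 ___HD C:\Program Files (x86)\TablEdit
2011-10-28 07:34 - 2011-08-08 14:08 - 0000174 ___SH C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2011-10-26 06:21 - 2011-12-15 03:04 - 0043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
"""

if __name__ == "__main__":
    for e in suspicious_hidden(parse_frst(SAMPLE_LOG)):
        kind = "dir " if e.directory else "file"
        print(f"{kind} {e.attrs} {e.path}")
```

    On the eight sample lines the helper flags four entries: the hidden .docx in Documents, the two hidden downloads, and the hidden TablEdit directory under Program Files (x86); the hidden riotsGamesLogs folder sits directly under the profile root and is left alone, as is desktop.ini. Run it over the whole pasted log to get the list of files whose hidden attribute needs clearing once the rogue is gone.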
     
  14. Broni


    That looks good.

    Download the FixTDSS.exe

    Save the file to your Windows desktop.
    Close all running programs.
    If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
    Double-click the FixTDSS.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.
    OK any security prompts.
    Restart the computer when prompted by the tool.
    After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
    If you are running Windows XP, re-enable System Restore.
     
  15. Emerik


    When the system rebooted, the TDSS Tool said "***Infected MBR detected"
    It has an option to "Repair" or "Close". I haven't chosen any and the window is still open while I wait for your response. Additionally, Microsoft Security Essentials popped up saying "1 potential threat found". I didn't choose to "Fix now", I just left it.
    What should I do? Very thankful for your help.
     
  16. Broni


    Click "Repair".
    Disregard MSE warning as I don't know what it says.
    Restart and post new Bootkit Remover log.
     
  17. Emerik


    Okay, some things happened now. First, while I was waiting for a response, I had a bluescreen. I didn't get the chance to click repair. Upon rebooting, the internet connection doesn't work (it says network connection missing. I'm using wireless.) When I saw your reply on my other computer, I ran the Fix TDSS again, although this time when rebooting, it says "Suspicious use of kernel callback but MBR appears intact. Repair not done. No infections were found"

    I ran the bootkit remover again, and unfortunately I can't post the log since I don't have any internet connection, but it appears to say exactly the same thing as last time I ran it.
     
  18. Broni


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  19. Emerik


    I downloaded ComboFix to my other computer and copied it to my laptop (infected one) and ran the program. It worked and started scanning, but just as the result came up, it crashed and a bluescreen appeared, and the computer rebooted. I don't know if any logs were saved. What should I do? Oh, and I did as told, I deactivated the anti-virus programs before starting.
     
  20. Broni


    Try to re-run it from safe mode.
     
  21. Emerik


    I re-ran it from safe mode, and it worked. I received a log, which I will post here. I should also tell that when I started the computer in normal mode again, all the hidden files were back.

    ComboFix 12-01-10.02 - Administrator 2012-01-10 23:58:53.2.4 - x64 MINIMAL
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.46.1033.18.3983.2919 [GMT 1:00]
    Running from: c:\users\Administrator\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    FW: COMODO Firewall *Disabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
    SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
    c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
    c:\users\Administrator\Desktop\System Check.lnk
    c:\windows\SysWow64\404Fix.exe
    c:\windows\SysWow64\Agent.OMZ.Fix.exe
    c:\windows\SysWow64\dumphive.exe
    c:\windows\SysWow64\IEDFix.C.exe
    c:\windows\SysWow64\IEDFix.exe
    c:\windows\SysWow64\o4Patch.exe
    c:\windows\SysWow64\Process.exe
    c:\windows\SysWow64\SrchSTS.exe
    c:\windows\SysWow64\tmp.reg
    c:\windows\SysWow64\VACFix.exe
    c:\windows\SysWow64\VCCLSID.exe
    c:\windows\SysWow64\WS2Fix.exe
    .
    .
    (((((((((((((((((((((((( Files Created from 2011-12-10 to 2012-01-10 ))))))))))))))))))))))))))))))
    .
    .
    2012-01-10 23:34 . 2012-01-10 23:34 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-10 22:48 . 2012-01-10 22:48 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B4CFAAFD-E7F6-43E2-AF5E-C9074FBDCFF8}\offreg.dll
    2012-01-10 20:14 . 2012-01-10 20:16 -------- d-----w- C:\FRST
    2012-01-10 15:05 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B4CFAAFD-E7F6-43E2-AF5E-C9074FBDCFF8}\mpengine.dll
    2012-01-08 20:13 . 2012-01-08 20:13 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
    2012-01-08 20:13 . 2012-01-08 20:13 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-08 20:11 . 2012-01-08 20:11 -------- d-----w- c:\program files\CCleaner
    2012-01-08 18:57 . 2012-01-08 20:05 1365 ---ha-w- c:\users\Administrator\AppData\Roaming\GetValue.vbs
    2012-01-08 18:57 . 2012-01-08 18:57 35 ----a-w- c:\users\Administrator\AppData\Roaming\SetValue.bat
    2011-12-25 13:12 . 2011-12-25 13:13 -------- d--h--w- c:\users\Administrator\HTC Legend filer
    2011-12-25 12:32 . 2011-12-25 12:53 -------- d--h--w- c:\users\Administrator\HTC Hero filer
    2011-12-24 13:48 . 2011-12-24 13:48 -------- d--h--w- c:\users\Administrator\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2011-12-15 02:04 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-15 02:01 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 02:01 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 02:01 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-15 02:00 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-15 02:00 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-21 13:53 . 2011-09-02 17:04 414368 ---ha-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-21 11:40 . 2011-09-07 11:48 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-05-19 15:38 . 2011-09-08 21:38 94080 ---ha-w- c:\program files (x86)\Install Lightroom 3.exe
    .
    .
    (((((((((((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legitimate default entries are not shown.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-09-02 3077528]
    "Facebook Update"="c:\users\Administrator\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-11-07 137536]
    "OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-21 718720]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2011-07-04 1605992]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "TSMResident"="c:\program files (x86)\ThinkPad\Tablettmeny\TSMRESIDENT.EXE" [2011-05-09 484856]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    "COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 213304]
    "CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 184120]
    .
    c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
    Skärmurklipp och start för OneNote 2010.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
    R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [x]
    R2 ASRSVC;ASR Service;c:\program files (x86)\ThinkPad\Tablettmeny\ASR\ASRSVC.exe [2010-10-27 79136]
    R2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [x]
    R2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-07 210896]
    R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2011-05-31 41320]
    R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-04-04 45496]
    R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2011-05-31 59240]
    R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]
    R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2011-07-04 148840]
    R2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 13840]
    R2 SROSVC;Screen Reading Optimizer Service Program;c:\program files (x86)\Lenovo\Screen Reading Optimizer\SROSVC.exe [2011-03-02 443240]
    R2 TabletSVC;TABLET Service;c:\program files (x86)\ThinkPad\Tablettmeny\TSMService.exe [2011-05-18 83440]
    R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-04-20 144232]
    R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-03-29 64952]
    R3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
    R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2011-07-04 477032]
    R3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [x]
    R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft - nätverkskontroll;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 PCDSRVC{127174DC-C366ED8B-06020200}_0;PCDSRVC{127174DC-C366ED8B-06020200}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc_x64.pkms [2011-06-27 25584]
    R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2011-07-04 83304]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;tsusbhub; [x]
    S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [x]
    S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [x]
    S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1267000]
    S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys [x]
    S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder:
    .
    2012-01-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1710067825-1136283663-2566881455-500Core.job
    - c:\users\Administrator\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-20 14:21]
    .
    2012-01-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1710067825-1136283663-2566881455-500UA.job
    - c:\users\Administrator\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-20 14:21]
    .
    2012-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1710067825-1136283663-2566881455-500Core.job
    - c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-29 11:16]
    .
    2012-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1710067825-1136283663-2566881455-500UA.job
    - c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-29 11:16]
    .
    2012-01-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:06]
    .
    2012-01-10 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:06]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2011-05-31 40808]
    "TpShocks"="TpShocks.exe" [2011-03-29 380776]
    "AcWin7Hlpr"="c:\program files (x86)\Lenovo\Access Connections\AcTBenabler.exe" [2011-04-14 31592]
    "ALCKRESI.EXE"="c:\program files\Lenovo\AutoLock\ALCKRESI.EXE" [2011-05-25 281960]
    "ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]
    "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2011-03-14 316032]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-30 167960]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-30 391704]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-30 418840]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-06-30 9048392]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    "AppInit_DLLs"=c:\windows\System32\guard64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = https://home.vrg.se
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\44rgjj9n.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - facebook.com
    .
    - - - - ORPHANED ENTRIES REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{127174DC-C366ED8B-06020200}_0]
    "ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc_x64.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1710067825-1136283663-2566881455-500\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (Administrator)
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,3b,1b,0c,17,ca,
    00,9a,bb,ea,08,b1,9f,bd,17,8d,6c,fb,d9
    "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,3b,1b,71,2e,90,
    6a,f2,63,4b,07,a3,f0,4c,fc,1c,7a,e5,64
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,3b,1b,74,cb,25,
    88,35,1f,d6,00,9a,c5,16,24,77,4a,25,dc
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,3b,1b,25,b7,e6,
    ac,16,5d,30,03,ae,2b,05,f3,01,cc,44,e5
    "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,3b,1b,f1,05,41,
    32,c1,08,0c,0c,bc,aa,88,e9,66,6c,04,8b
    .
    [HKEY_USERS\S-1-5-21-1710067825-1136283663-2566881455-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (Administrator)
    "Timestamp"=hex:e8,c5,dd,da,72,69,cc,01
    .
    [HKEY_USERS\S-1-5-21-1710067825-1136283663-2566881455-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,cd,29,60,03,3f,d3,45,b4,90,d4,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,cd,29,60,03,3f,d3,45,b4,90,d4,\
    .
    [HKEY_USERS\S-1-5-21-1710067825-1136283663-2566881455-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-1710067825-1136283663-2566881455-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-1710067825-1136283663-2566881455-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\notepad.exe"
    .
    [HKEY_USERS\S-1-5-21-1710067825-1136283663-2566881455-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-1710067825-1136283663-2566881455-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-1710067825-1136283663-2566881455-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Sluttid: 2012-01-11 00:59:19
    ComboFix-quarantined-files.txt 2012-01-10 23:59
    .
    Före genomsökningen: 256*131*993*600 byte ledigt
    Efter genomsökningen: 255*799*685*120 byte ledigt
    .
    - - End Of File - - C5757D201A4E7C2A6E357C3869677713
     
  22. Broni

    Broni Malware Annihilator Posts: 47,621   +267

    Looks good.

    How is the computer doing?

    Make sure you're in normal mode.
    See if you can update and run MBAM.
    Post the log.

    Post new Bootkit Remover log.
     
  23. Emerik

    Emerik TS Rookie Topic Starter Posts: 51

    Hi! The computer is doing much better. After restarting the computer after the TDSS scan, all the hidden files are back. Thanks a lot for the help :)

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Databasversion: v2012.01.11.06

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Administrator :: SR9EPGOY [administratör]

    2012-01-11 18:51:22
    mbam-log-2012-01-11 (18-51-22).txt

    Skanningstyp: Snabbskanning
    Aktiverade skanningsalternativ: Minne | Start | Register | Filsystem | Heuristik/Extra | Heuristik/Shuriken | PUP | PUM
    Inaktiverade skanningsalternativ: P2P
    Antal skannade objekt: 183952
    Förfluten tid: 4 minut(er), 14 sekund(er)

    Upptäckta minnesprocesser: 0
    (Inga skadliga poster hittades)

    Upptäckta minnesmoduler: 0
    (Inga skadliga poster hittades)

    Upptäckta registernycklar: 0
    (Inga skadliga poster hittades)

    Upptäckta registervärden: 0
    (Inga skadliga poster hittades)

    Upptäckta registerdataposter: 0
    (Inga skadliga poster hittades)

    Upptäckta mappar: 0
    (Inga skadliga poster hittades)

    Upptäckta filer: 0
    (Inga skadliga poster hittades)

    (klar)

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Enterprise Edition Service Pack 1 (build 7601),
    64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  24. Broni

    Broni Malware Annihilator Posts: 47,621   +267

    Good :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  25. Emerik

    Emerik TS Rookie Topic Starter Posts: 51

    OTL Extras logfile created on: 1/11/2012 7:22:35 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Administrator\Desktop
    64bit- Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: Sweden | Language: SVE | Date Format: yyyy-MM-dd

    3.89 Gb Total Physical Memory | 2.26 Gb Available Physical Memory | 58.03% Memory free
    7.78 Gb Paging File | 5.96 Gb Available in Paging File | 76.58% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 297.79 Gb Total Space | 238.39 Gb Free Space | 80.05% Space Free | Partition Type: NTFS

    Computer Name: SR9EPGOY | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
    .html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-1710067825-1136283663-2566881455-500\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
    "{180C8888-50F1-426B-A9DC-AB83A1989C65}" = Windows Live Language Selector
    "{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
    "{1E9FC118-651D-4934-97BE-E53CAE5C7D45}" = Microsoft_VC80_MFCLOC_x86_x64
    "{23170F69-40C1-2702-0465-000001000000}" = 7-Zip 4.65 (x64 edition)
    "{3C41721F-AF0F-4086-AA1C-4C7F29076228}" = Programvaran Intel(R) PROSet för trådlösa WiFi-anslutningar
    "{42738DB0-FC3E-4672-A99B-9372F5696E30}" = Microsoft Security Client
    "{4569AD91-47F4-4D9E-8FC9-717EC32D7AE1}" = Microsoft_VC80_CRT_x86_x64
    "{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Aktivt skyddssystem
    "{502EE63C-9A62-4330-8F8B-1EAB51B7BB46}" = ThinkVantage Fingerprint Software
    "{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
    "{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    "{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
    "{8557397C-A42D-486F-97B3-A2CBC2372593}" = Microsoft_VC90_ATL_x86_x64
    "{88C6A6D9-324C-46E8-BA87-563D14021442}_is1" = ThinkVantage Communications Utility
    "{8BBA6F77-4A79-4E90-BD82-E24669ACF221}" = Adobe Photoshop Lightroom 3.4.1 64-bit
    "{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
    "{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
    "{90140000-002A-041D-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (Swedish) 2010
    "{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
    "{90BF0360-A1DB-4599-A643-95AB90A52C1E}" = Microsoft_VC90_MFCLOC_x86_x64
    "{925D058B-564A-443A-B4B2-7E90C6432E55}" = Microsoft_VC80_ATL_x86_x64
    "{92A3CA0D-55CD-4C5D-BA95-5C2600C20F26}" = Microsoft_VC90_CRT_x86_x64
    "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{A472B9E4-0AFF-4F7B-B25D-F64F8E928AAB}" = Microsoft_VC90_MFC_x86_x64
    "{C8C1BAD5-54E6-4146-AD07-3A8AD36569C3}" = Microsoft_VC80_MFC_x86_x64
    "{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
    "{DC911ADF-7B60-40F2-A112-FB1EB6402D07}" = Microsoft Security Client SV-SE Language Pack
    "{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
    "{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
    "{E224B44B-B5EB-4af3-A80A-A255358E241A}_is1" = ThinkVantage AutoLock
    "{F8D02DBB-9B81-4192-9E85-219AD0447920}" = Microsoft Antimalware Service SV-SE Language Pack
    "{FD8E178D-8B4E-42DA-B434-EFF270329B1C}" = COMODO Internet Security
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit
    "CCleaner" = CCleaner
    "CNXT_AUDIO_HDA" = Conexant 20672 SmartAudio HD
    "LENOVO.SMIIF" = Lenovo System Interface Driver
    "LenovoAutoScrollUtility" = Lenovo Auto Scroll Utility
    "Microsoft Security Client" = Microsoft Security Essentials
    "OnScreenDisplay" = On Screen Display
    "PC-Doctor for Windows" = Lenovo ThinkVantage Toolbox
    "Power Management Driver" = ThinkPad Power Management Driver
    "ProInst" = Intel PROSet Wireless
    "SynTPDeinstKey" = ThinkPad UltraNav Driver
    "ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
    "WinRAR archiver" = WinRAR 4.01 (64-bit)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
    "{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
    "{17CBC505-D1AE-459D-B445-3D2000A85842}" = ThinkPad UltraNav-guiden
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1D7CE340-70C3-4848-BCCF-215950328A4C}" = Facebook Video Calling 1.0.0.8953
    "{1F77C418-2C90-459C-BD33-B56A4182B9FA}" = System Requirements Lab CYRI
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{25C64847-B900-48AD-A164-1B4F9B774650}" = System Update
    "{26903C89-780A-463E-8CBD-E47A73927254}" = ThinkPad Tablet Button Driver
    "{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java(TM) 6 Update 26
    "{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
    "{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{3521BDBD-D453-5D9F-AA55-44B75D214629}" = Adobe Community Help
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{51C7AD07-C3F6-4635-8E8A-231306D810FE}" = Cisco LEAP Module
    "{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
    "{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
    "{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}" = Cisco EAP-FAST Module
    "{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{79872596-B887-E700-8D56-CADBC78BA5DE}" = Adobe Download Assistant
    "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{8E537894-A559-4D60-B3CB-F4485E3D24E3}" = ThinkVantage Access Connections
    "{8FE96B14-E1F9-47BF-8BA1-A81467CD259B}_is1" = Yawcam 0.3.6
    "{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    "{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
    "{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{7D723ADD-8EE7-40A2-90A0-F8B29FE5026B}" =
    "{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
    "{90140000-0015-041D-0000-0000000FF1CE}" = Microsoft Office Access MUI (Swedish) 2010
    "{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
    "{90140000-0016-041D-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Swedish) 2010
    "{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
    "{90140000-0018-041D-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Swedish) 2010
    "{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
    "{90140000-0019-041D-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Swedish) 2010
    "{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
    "{90140000-001A-041D-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Swedish) 2010
    "{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
    "{90140000-001B-041D-0000-0000000FF1CE}" = Microsoft Office Word MUI (Swedish) 2010
    "{90140000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
    "{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
    "{90140000-001F-040B-0000-0000000FF1CE}" = Microsoft Office Proof (Finnish) 2010
    "{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
    "{90140000-001F-041D-0000-0000000FF1CE}" = Microsoft Office Proof (Swedish) 2010
    "{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
    "{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
    "{90140000-002C-041D-0000-0000000FF1CE}" = Microsoft Office Proofing (Swedish) 2010
    "{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
    "{90140000-0044-041D-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Swedish) 2010
    "{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
    "{90140000-006E-041D-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Swedish) 2010
    "{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
    "{90140000-00A1-041D-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Swedish) 2010
    "{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
    "{90140000-00BA-041D-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Swedish) 2010
    "{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
    "{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
    "{9158FF30-78D7-40EF-B83E-451AC5334640}" = Adobe Photoshop CS5.1
    "{918A9082-6287-4D25-9002-5E5D5E4971CB}" = League of Legends
    "{91A29166-4E1B-4664-B70B-4C4A3B6B3372}" = Lenovo Screen Reading Optimizer
    "{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9a2db59f-091a-40b4-958d-1c8264624126}" = ThinkPad Tablettmeny
    "{9D3D2C60-A55F-4fed-B2B9-17311226DF01}" = ThinkPad Wireless LAN Adapter Software
    "{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
    "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
    "{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
    "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
    "{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
    "{C6D4B05A-EA7E-1027-80EF-C925E740E99C}" = Intel(R) Identity Protection Technology 1.0.74.0
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
    "{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}" = ThinkPad Energispararen
    "{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
    "{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}" = Cisco PEAP Module
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel(R) Control Center
    "{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
    "{FE041B02-234C-4AAA-9511-80DF6482A458}" = RICOH_Media_Driver_v2.14.18.01
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "Adobe AIR" = Adobe AIR
    "Age of EMpires 2" = Age of Empires 2
    "chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
    "com.adobe.downloadassistant.AdobeDownloadAssistant" = Adobe Download Assistant
    "COMODO GeekBuddy" = COMODO GeekBuddy
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
    "Mobile Partner" = Mobile Partner
    "Mozilla Firefox 8.0.1 (x86 en-US)" = Mozilla Firefox 8.0.1 (x86 en-US)
    "Office14.PROPLUS" = Microsoft Office Professional Plus 2010
    "PokerStars" = PokerStars
    "ProInst" = Intel PROSet Wireless
    "Spotify" = Spotify
    "StarCraft II" = StarCraft II
    "TablEdit_is1" = TablEdit 2.71
    "uTorrent" = µTorrent
    "VLC media player" = VLC media player 1.1.2
    "WinLiveSuite" = Windows Live Essentials
    "WinPcapInst" = WinPcap 4.1.2
    "Zatacka_is1" = Zatacka 0.1.7

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-1710067825-1136283663-2566881455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 1/10/2012 6:25:09 PM | Computer Name = SR9EPGOY | Source = WinMgmt | ID = 10
    Description =

    Error - 1/10/2012 6:47:58 PM | Computer Name = SR9EPGOY | Source = WinMgmt | ID = 10
    Description =

    Error - 1/10/2012 6:50:37 PM | Computer Name = SR9EPGOY | Source = WinMgmt | ID = 10
    Description =

    Error - 1/10/2012 6:53:51 PM | Computer Name = SR9EPGOY | Source = VSS | ID = 18
    Description =

    Error - 1/10/2012 6:53:51 PM | Computer Name = SR9EPGOY | Source = VSS | ID = 8193
    Description =

    Error - 1/10/2012 6:53:51 PM | Computer Name = SR9EPGOY | Source = System Restore | ID = 8193
    Description =

    Error - 1/11/2012 2:24:43 AM | Computer Name = SR9EPGOY | Source = WinMgmt | ID = 10
    Description =

    Error - 1/11/2012 8:16:22 AM | Computer Name = SR9EPGOY | Source = WinMgmt | ID = 10
    Description =

    Error - 1/11/2012 11:59:31 AM | Computer Name = SR9EPGOY | Source = WinMgmt | ID = 10
    Description =

    Error - 1/11/2012 1:36:11 PM | Computer Name = SR9EPGOY | Source = Google Update | ID = 20
    Description =

    [ System Events ]
    Error - 1/2/2012 2:12:43 PM | Computer Name = SR9EPGOY | Source = Microsoft Antimalware | ID = 3002
    Description = %%860-funktionen för realtidsskydd har stött på ett fel och avslutats.

    Funktion:
    %%835 Felkod: 0x80004005 Felbeskrivning: Unspecified error Orsak: %%842

    Error - 1/3/2012 12:45:32 PM | Computer Name = SR9EPGOY | Source = Service Control Manager | ID = 7026
    Description = Följande start- eller systemstartdrivrutin(er) avbröts på grund av
    fel under start: cdrom

    Error - 1/3/2012 12:45:43 PM | Computer Name = SR9EPGOY | Source = Microsoft Antimalware | ID = 3002
    Description = %%860-funktionen för realtidsskydd har stött på ett fel och avslutats.

    Funktion:
    %%835 Felkod: 0x80004005 Felbeskrivning: Unspecified error Orsak: %%842

    Error - 1/3/2012 4:31:04 PM | Computer Name = SR9EPGOY | Source = Service Control Manager | ID = 7026
    Description = Följande start- eller systemstartdrivrutin(er) avbröts på grund av
    fel under start: cdrom

    Error - 1/3/2012 4:43:38 PM | Computer Name = SR9EPGOY | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 stötte på ett fel när signaturer skulle uppdateras. Ny signaturversion:
    Föregående signaturversion: 1.117.2126.0 Uppdateringskälla: %%859 Uppdateringsskede:
    %%853 Källsökväg: http://www.microsoft.com Signaturtyp: %%800 Uppdateringstyp: %%803

    Användare:
    NT AUTHORITY\SYSTEM Aktuell motorversion: Föregående motorversion: 1.1.7903.0 Felkod:
    0x80240022 Felbeskrivning: The program can't check for definition updates.

    Error - 1/3/2012 4:43:38 PM | Computer Name = SR9EPGOY | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 stötte på ett fel när signaturer skulle uppdateras. Ny signaturversion:
    Föregående signaturversion: 1.117.2126.0 Uppdateringskälla: %%859 Uppdateringsskede:
    %%853 Källsökväg: http://www.microsoft.com Signaturtyp: %%800 Uppdateringstyp: %%803

    Användare:
    NT AUTHORITY\SYSTEM Aktuell motorversion: Föregående motorversion: 1.1.7903.0 Felkod:
    0x80240022 Felbeskrivning: The program can't check for definition updates.

    Error - 1/3/2012 4:47:43 PM | Computer Name = SR9EPGOY | Source = bowser | ID = 8003
    Description =

    Error - 1/6/2012 11:24:48 AM | Computer Name = SR9EPGOY | Source = Service Control Manager | ID = 7026
    Description = Följande start- eller systemstartdrivrutin(er) avbröts på grund av
    fel under start: cdrom

    Error - 1/7/2012 6:51:50 PM | Computer Name = SR9EPGOY | Source = Service Control Manager | ID = 7026
    Description = Följande start- eller systemstartdrivrutin(er) avbröts på grund av
    fel under start: cdrom

    Error - 1/8/2012 12:37:07 PM | Computer Name = SR9EPGOY | Source = Service Control Manager | ID = 7026
    Description = Följande start- eller systemstartdrivrutin(er) avbröts på grund av
    fel under start: cdrom


    < End of report >
     

